Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:22, on 2008-03-09
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Piotrek\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" Z
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKCU\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 10983 bytes
ComboFix 08-03-08.2 - Piotrek 2008-03-09 11:19:50.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1250.1.1033.18.328 [GMT 1:00]
Running from: C:\Users\Piotrek\Desktop\ComboFix.exe
Command switches used :: C:\Users\Piotrek\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Windows\config.ini
C:\Windows\fbdzj.exe
C:\Windows\ftebh.exe
C:\Windows\fzmxg.dll
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Windows\sysoghcx.exe
C:\Windows\sysokuaw.exe
C:\Windows\sysounrk.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\config.ini
C:\Windows\fbdzj.exe
C:\Windows\ftebh.exe
C:\Windows\fzmxg.dll
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Windows\sysoghcx.exe
C:\Windows\sysokuaw.exe
C:\Windows\sysounrk.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-06 17:48 . 2008-03-06 17:48 <DIR> d-------- C:\Program Files\Uniblue
2008-03-06 15:25 . 2008-03-06 15:25 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-03-06 15:25 . 2008-03-06 15:25 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-03-06 15:23 . 2008-03-06 15:23 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\SUPERAntiSpyware.com
2008-03-06 15:23 . 2008-03-06 15:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-06 15:02 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-03-06 15:02 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-03-06 15:02 . 2008-02-01 12:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-03-06 15:02 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-03-06 15:01 . 2008-03-06 15:01 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\PC Tools
2008-03-06 15:01 . 2008-03-06 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-06 14:35 . 2008-03-06 14:43 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:56 <DIR> d-------- C:\Users\All Users\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:56 <DIR> d-------- C:\ProgramData\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:55 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:35 138,752 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys
2008-03-06 13:58 . 2008-03-06 13:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-06 13:57 . 2008-03-09 11:13 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-03-06 13:57 . 2008-03-09 11:13 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-03-05 23:53 . 2008-03-05 23:53 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Grisoft
2008-03-05 23:50 . 2008-03-05 23:50 <DIR> d-------- C:\Users\All Users\Grisoft
2008-03-05 23:50 . 2008-03-05 23:50 <DIR> d-------- C:\ProgramData\Grisoft
2008-03-05 23:50 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-05 23:35 . 2008-03-05 23:35 3,932,214 --a------ C:\Windows\mywallpaper.bmp
2008-02-27 00:40 . 2008-02-27 00:40 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-02-22 10:01 . 2008-02-22 10:14 <DIR> d-------- C:\Program Files\Opanda
2008-02-21 01:01 . 2008-02-21 01:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-20 22:48 . 2008-02-20 23:03 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Nikon
2008-02-20 22:39 . 2008-02-25 19:52 20 ---h----- C:\Users\All Users\PKP_DLdw.DAT
2008-02-20 22:39 . 2008-02-25 19:52 20 ---h----- C:\ProgramData\PKP_DLdw.DAT
2008-02-20 22:36 . 2008-02-20 22:36 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\Users\All Users\Nikon
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\ProgramData\Nikon
2008-02-20 22:35 . 2008-02-20 22:39 <DIR> d-------- C:\Program Files\Nikon
2008-02-20 22:35 . 2008-02-20 22:51 <DIR> d-------- C:\Program Files\Common Files\Nikon
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\Users\All Users\Ultima_T15
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\Users\All Users\EnterNHelp
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\ProgramData\Ultima_T15
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\ProgramData\EnterNHelp
2008-02-20 22:34 . 2008-02-25 19:26 20 ---h----- C:\Users\All Users\PKP_DLdu.DAT
2008-02-20 22:34 . 2008-02-25 19:26 20 ---h----- C:\ProgramData\PKP_DLdu.DAT
2008-02-20 02:10 . 2008-02-20 02:10 <DIR> d-------- C:\Program Files\Phun
2008-02-20 02:04 . 2008-02-20 02:05 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Ventrilo
2008-02-15 00:10 . 2008-02-15 00:10 <DIR> d-------- C:\Program Files\Ventrilo
2008-02-14 01:13 . 2008-02-14 01:13 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 01:13 . 2008-02-14 01:13 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 01:11 . 2008-02-14 01:11 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-02-14 01:11 . 2008-02-14 01:11 613,888 --a------ C:\Windows\System32\wpd_ci.dll
2008-02-14 01:11 . 2008-02-14 01:11 558,080 --a------ C:\Windows\System32\oleaut32.dll
2008-02-14 01:11 . 2008-02-14 01:11 260,096 --a------ C:\Windows\System32\dpx.dll
2008-02-14 01:11 . 2008-02-14 01:11 224,824 --a------ C:\Windows\System32\clfs.sys
2008-02-14 01:11 . 2008-02-14 01:11 221,696 --a------ C:\Windows\System32\umpnpmgr.dll
2008-02-14 01:11 . 2008-02-14 01:11 101,888 --a------ C:\Windows\System32\drvinst.exe
2008-02-14 01:11 . 2008-02-14 01:11 19,456 --a------ C:\Windows\System32\cfgmgr32.dll
2008-02-14 01:11 . 2008-02-14 01:11 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-02-14 01:07 . 2008-02-14 01:07 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-14 01:07 . 2008-02-14 01:07 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-14 01:07 . 2008-02-14 01:07 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-14 01:07 . 2008-02-14 01:07 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-14 01:07 . 2008-02-14 01:07 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-14 01:07 . 2008-02-14 01:07 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-14 01:07 . 2008-02-14 01:07 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-02-14 01:06 . 2008-02-14 01:06 806,400 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-14 01:06 . 2008-02-14 01:06 217,144 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-14 01:06 . 2008-02-14 01:06 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-14 01:06 . 2008-02-14 01:06 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-14 01:06 . 2008-02-14 01:06 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-14 01:05 . 2008-02-14 01:05 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 01:05 . 2008-02-14 01:05 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\peanut
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 10:15 --------- d-----w C:\Users\Piotrek\AppData\Roaming\Skype
2008-03-09 10:12 --------- d---a-w C:\ProgramData\TEMP
2008-03-09 10:10 350,468 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-03-09 07:01 --------- d-----w C:\Users\Piotrek\AppData\Roaming\skypePM
2008-03-06 15:49 351,744 ----a-w C:\Windows\Internet Logs\xDB8C61.tmp
2008-03-06 14:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-04 22:32 --------- d-----w C:\Program Files\Warcraft III
2008-02-28 22:18 1,488,384 ----a-w C:\Windows\Internet Logs\xDB97AC.tmp
2008-02-14 00:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-14 00:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-14 00:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 00:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 17:35 1,934,478 ----a-w C:\Windows\Internet Logs\tvDebug.zip
2008-02-04 19:11 --------- d-----w C:\ProgramData\Poszukiwacze Zaginionej Warszawy
2008-02-04 18:43 --------- d-----w C:\Program Files\Warszawa
2008-02-03 22:26 --------- d-----w C:\Program Files\AusLogics BoostSpeed
2008-02-03 19:46 --------- d-----w C:\Program Files\Softland
2008-02-03 19:42 --------- d-----w C:\Program Files\FreeMind
2008-02-02 20:20 1,410,560 ----a-w C:\Windows\Internet Logs\xDB8BF4.tmp
2008-02-02 19:00 32 ----a-w C:\Users\All Users\ezsid.dat
2008-02-02 19:00 32 ----a-w C:\ProgramData\ezsid.dat
2008-02-02 18:58 --------- d-----w C:\ProgramData\Skype
2008-02-02 18:58 --------- d-----w C:\Program Files\Skype
2008-02-02 18:58 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-28 06:00 2,715,648 ----a-w C:\Windows\Internet Logs\xDB885A.tmp
2008-01-19 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 15:07 --------- d-----w C:\Program Files\Linksys
2008-01-19 15:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-19 13:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 00:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 00:17 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 00:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 00:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 00:06 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-08 21:33 1,379,328 ----a-w C:\Windows\Internet Logs\xDBE29F.tmp
2007-12-28 23:43 1,366,528 ----a-w C:\Windows\Internet Logs\xDB921E.tmp
2007-12-12 00:09 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 00:09 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 00:09 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-08-30 04:18 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((( snapshot@2008-03-09_ 7.35.56,64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 05:37:59 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-09 10:10:37 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-03-09 06:05:37 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-03-09 10:14:56 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-03-08 23:01:03 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-09 10:14:30 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-03-09 06:23:37 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-03-09 06:41:31 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-03-08 23:00:58 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-09 10:14:23 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-03-09 06:10:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-09 10:25:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-09 06:10:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-09 10:25:22 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-09 06:10:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-09 10:25:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-08 15:07:11 8,136 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-626618699-1994527308-801062002-1000_UserData.bin
+ 2008-03-09 10:14:55 8,152 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-626618699-1994527308-801062002-1000_UserData.bin
- 2008-03-08 15:07:10 61,318 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-09 10:14:54 61,446 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-08 19:12:26 41,000 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-09 10:14:37 41,200 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-03-09 05:38:02 246,970 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-03-09 08:52:34 247,672 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:35 2159104 C:\Windows\System32\oobefldr.dll]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-09-03 14:18 94208]
"Show missed alarms"="C:\Program Files\Alarm\Alarm.exe" [2006-09-12 14:12 253984]
"Network Drive Mapping Utility"="C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" [2007-08-24 10:55 286336]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 00:22 1006264]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 15:49 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10 271360]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-11 22:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-11 22:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-11 22:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-04 05:24 960240]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 22:26 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Network Drive Mapping Utility"="C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" [2007-08-24 10:55 286336]
"RegistryMechanic"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]
C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-06-14 19:39:18 479232]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F660E819-41D8-457B-8AC5-C030914B6AB0}C:\program files\gadu-gadu\gg.exe"= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"UDP Query User{6C91CB71-A27B-4F49-8954-35FFA4398B5C}C:\program files\gadu-gadu\gg.exe"= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"TCP Query User{7F3B179E-83E4-4E34-BDFC-48D0CDC1F232}C:\program files\gadu-gadu\gg.exe"= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"UDP Query User{B1EC7833-FEFD-4406-A4E6-383987B24817}C:\program files\gadu-gadu\gg.exe"= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"TCP Query User{2C8AADE8-71F7-42BC-B0B7-DA00C50D0E0F}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{8FC3C74F-C1F1-4ECB-9D16-3B01B3C04905}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{A6439DEE-64D3-4EDB-BEA2-0CEF2274AD59}C:\program files\emule\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"UDP Query User{F441AFB9-8050-4A4D-84B5-2EC646131840}C:\program files\emule\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"TCP Query User{58216B4C-23A9-49D9-ACB4-AAA066FB7566}C:\program files\emule\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"UDP Query User{3926461B-43B3-4FD9-B5BB-B0105640F174}C:\program files\emule\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"TCP Query User{45087D7F-BFA0-40AE-8717-6221C3AD26D3}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"UDP Query User{7BF067AB-864C-4383-9063-E97D0CD845F8}C:\program files\opera\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{12C43768-FEB8-42E4-9CFF-BBE239D35D4B}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"UDP Query User{5E2CA1C9-D734-4271-B266-F0ADE6A0A495}C:\program files\opera\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{91AA4285-FDF7-48A7-AD1C-9B083229CDAE}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= UDP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"UDP Query User{44385FD4-115D-41FE-AB6F-8EE8A8218D9C}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= TCP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"TCP Query User{9EB95885-F0EE-491A-91FD-23B5D3C73F54}C:\program files\last.fm\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"UDP Query User{6930FAF0-A87B-41DF-81AF-ADEDAFF8A596}C:\program files\last.fm\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"TCP Query User{3A25ED4D-F416-4D4A-91E8-DB3C92EA878F}C:\program files\last.fm\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"UDP Query User{DE8EDADD-D37D-4EC0-860D-D675C6AC8F44}C:\program files\last.fm\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"{677316DA-7DE3-4AFE-AC61-DCBB0AAA15C8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{070587DB-C900-427C-B8CD-88DBC9C9CEB1}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{9D0CD623-5265-4F5E-8DC7-73B2FA84C1A5}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{11C7E1FC-22AE-4464-B8FC-8DCD1B432FD1}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"TCP Query User{23390609-A07B-4C86-80F8-FD7F4695E5F1}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{9609D59E-F1D9-4118-994E-F4BBC0A8090D}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 ntcdrdrv;ntcdrdrv;C:\Windows\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 10:42]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 15:52]
R3 L6DP;L6DP;C:\Windows\system32\Drivers\l6dp.sys [2007-01-30 02:22]
R3 L6TPortB;Service - Line 6 TonePort UX2;C:\Windows\system32\Drivers\L6TPortB.sys [2007-01-30 02:17]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 kvpndev;Kerio VPN adapter;C:\Windows\system32\DRIVERS\kvpndrv.sys [2007-05-25 14:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eedb914-ab76-11dc-b46c-000129d2a37e}]
\shell\AutoRun\command - G:\
\shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e91f33ee-50fe-11dc-8aa3-806e6f6e6963}]
\shell\AutoRun\command - F:\App/Menu.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 11:27:48
Windows 6.0.6000 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-09 11:29:41
ComboFix-quarantined-files.txt 2008-03-09 10:29:34
ComboFix2.txt 2008-03-09 06:37:06
.
2008-02-21 23:35:03 --- E O F ---